The Federal Trade Commission (FTC) has imposed a fine of $1,500,000 on GoodRx Holdings for failing to report they were disclosing sensitive consumer health information to Google, Facebook, Criteo, Branch, Twilio, and other companies.
GoodRx is a California-based healthcare company offering telemedicine services, an online platform and mobile apps, drug coupons for discounts at 75,000 pharmacies across the United States, and more.
Inevitably, this puts the firm in an excellent position to collect sensitive health data, and according to public data, over 55 million people have used its services.
As explained in the U.S. government agency’s announcement, GoodRx was engaging with Google and Facebook to facilitate targeted advertising on the platforms of all parties, so the company is essentially guilty of using people’s health information to make a profit.
This practice violates the FTC Act, a federal law protecting consumers from deceptive or anti-competitive business practices.
The FTC’s announcement also states that GoodRx falsely claimed compliance with the applicable privacy laws while failing to comply with their requirements.
By taking into account all of the above, the number of impacted individuals, and the duration of the violations, the U.S. Department of Justice, on behalf of the FTC, has ordered GoodRx to pay a $1.5 million civil penalty.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” stated FTC’s Director of Consumer Protection Bureau, Samuel Levine.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
This is a milestone case for the FTC, as this is the first time that such a penalty has been imposed on a private company via the U.S. DoJ. The FTC’s Commission voted unanimously in favor of referring the complaint to the U.S. DoJ.
GoodRx must now also ask all third parties that acquired user data from it to delete that data, and it is prohibited from ever sharing user health data with marketers and advertisers in the future. In addition, before sharing user data with appropriate third parties, the firm must first obtain its users’ consent.
Finally, GoodRx will also have to implement a mandated privacy program built around solid data protection safeguards, and it should limit the data retention period to the minimum required. A detailed schedule covering the collection and retention of each data type must be published and clearly communicated to the users.
FTC’s fine on GoodRx serves as a warning to digital health companies and mobile apps, which should not profit from consumers’ sensitive and personal health information.